[VoiceOps] Web Attacker Blacklist
orenyny at gmail.com
Wed Oct 23 08:37:36 EDT 2013
Did you intend to provide the script for others to use and add data, or
just the data you collected so far?
On Wed, Oct 23, 2013 at 8:04 AM, J. Oquendo <sil at infiltrated.net> wrote:
> On Tue, 22 Oct 2013, Jay Hennigan wrote:
> > On 10/22/13 6:57 AM, J. Oquendo wrote:
> > >
> > > Going to cross post this to the list (I know some of us
> > > criss-cross lists). Reasoning, a lot of IP PBXs have
> > > web based interfaces, and some need to be on the public
> > > Internet.
> > >
> > > Cobbled together a script to scrape my logs, parse out web
> > > based attackers (SQLi, XSS, CSRF, etc) and compile said list
> > > for blacklisting. Script is pulling from 6 different web
> > > servers for now. I may add more later depending on whether
> > > or not I see a lot of usage.
> > >
> > > http://www.infiltrated.net/webattackers.txt
> > Thanks. I personally would like to see it as solely raw IP addresses
> > rather than a mix of IPs and PTRs. The PTRs may not match forward DNS,
> > particularly if a bad guy has control of rDNS.
> I changed it up, but will leave existing domains on there.
> I thought about this (domains vs. IPs) in the sense that,
> filtering (WAF) often tends to rely on domains. Then I
> thought about matching domains to IPs on that instance but
> it wouldn't have been cumbersome considering anyone can
> edit /etc/hosts or c:\windows\system32\etc\drivers\hosts
> so I left it alone. As of about 20 minutes of the original
> post, I re-configured Apache to stop hostname lookups.
> J. Oquendo
> SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM
> "Where ignorance is our master, there is no possibility of
> real peace" - Dalai Lama
> 42B0 5A53 6505 6638 44BB 3943 2BF7 D83F 210A 95AF
> VoiceOps mailing list
> VoiceOps at voiceops.org
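The kind of log scraping discussed above, as an added example that is not the script posted in the thread: it reads Apache combined-format lines, flags SQLi/XSS-style requests, and collects only raw client IPs, skipping any client field that is a hostname (what HostnameLookups On produces), in line with the PTR concern raised. The log lines and the attack patterns are constructed for this example.

```python
import ipaddress
import re
from urllib.parse import unquote

# Apache combined log: client ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) ')

# Constructed, deliberately coarse indicators of SQLi / XSS style requests.
ATTACK_PATTERNS = [
    ("sqli", re.compile(r"(\bunion\b.*\bselect\b|'\s*or\s+1=1|\bsleep\s*\()", re.I)),
    ("xss", re.compile(r"(<script\b|javascript:|onerror\s*=)", re.I)),
]

def classify(request):
    """Return the attack tag for a request line, or None if nothing matched."""
    decoded = unquote(request)  # catch %27 / %3Cscript%3E as well as literal forms
    for tag, pattern in ATTACK_PATTERNS:
        if pattern.search(decoded):
            return tag
    return None

def parse_line(line):
    """Return (ip, tag) for an attack line, else None.
    Client fields that are hostnames (Apache HostnameLookups On) are skipped:
    a PTR record is under the remote side's control and may not match forward DNS."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group("client"))
    except ValueError:
        return None  # hostname, not an address
    tag = classify(m.group("request"))
    return (str(ip), tag) if tag else None

def build_blacklist(lines):
    """Unique raw IPs that sent attack traffic, sorted for a stable list."""
    hits = {r[0] for r in map(parse_line, lines) if r}
    return sorted(hits)

# Constructed sample log lines (documentation address ranges, not real attackers).
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Oct/2013:06:57:01 -0400] "GET /admin.php?id=1%27%20or%201=1-- HTTP/1.1" 200 512 "-" "curl/7.1"',
    '198.51.100.7 - - [22/Oct/2013:06:58:10 -0400] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 10 "-" "Mozilla"',
    '192.0.2.9 - - [22/Oct/2013:06:59:00 -0400] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla"',
    'badhost.example - - [22/Oct/2013:07:00:00 -0400] "GET /x?u=1 UNION SELECT 1,2 HTTP/1.1" 500 0 "-" "-"',
]
```

Running build_blacklist(SAMPLE_LOG) yields only the two addresses that sent flagged requests; the hostname entry is dropped even though its request matches, which is the point of turning hostname lookups off before feeding logs to a blacklist.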